Bukkii Phone is built and operated to meet the standards of the Health Insurance Portability and Accountability Act (HIPAA). Every call, message, and AI interaction handling Protected Health Information (PHI) is encrypted, logged, and protected — backed by a signed Business Associate Agreement (BAA).
Bukkii Phone treats voice, text, and AI-generated data with the same protections required for medical records.
Encrypted with AES-256 at rest and accessible only to authorized staff. Automatically deleted once the retention window expires.
Two-way SMS and AI-summarized voicemails are encrypted end-to-end. PHI is masked in our internal systems and admin tools.
Phone numbers, timestamps, call duration, and AI conversation logs are all treated as PHI and logged to a tamper-evident audit trail.
Our AI Assistant runs in HIPAA-eligible regions. PHI never leaves the BAA-covered infrastructure — no third-party LLM exposure.
Booking records, calendar syncs, and reminder messages are scoped per practice. Cross-tenant data isolation is enforced at the database level.
Backups are encrypted with separate keys, geo-redundant within the United States, and deleted on customer request within 30 days.
SSO via Okta / Google Workspace, mandatory 2FA for admins, role-based access controls (RBAC).
AES-256 at rest (AWS KMS-managed keys) and TLS 1.3 for all data in transit. Customer-managed keys (CMK) are available on Enterprise.
PHI processed inside private VPCs with no direct internet exposure. Egress monitored and restricted to approved endpoints.
Every access to PHI is logged with user, IP, and timestamp. Logs are retained for 6 years per HIPAA §164.316(b)(2)(i) and are customer-exportable.
Incident response plan tested quarterly. Notification within 60 days of discovery, per HIPAA Breach Notification Rule.
All PHI stored and processed exclusively in U.S.-based AWS regions (us-east-1 & us-west-2). No data transfers outside HIPAA-eligible infrastructure.
A BAA is required by HIPAA whenever a vendor (Business Associate) handles PHI on behalf of a covered entity. We sign BAAs at no extra cost on Pro and Business plans, and provide a standard template within one business day of request.
From solo practitioners to multi-location groups, Bukkii Phone supports the full range of healthcare and wellness providers handling PHI.
DSOs, solo dentists, orthodontics
Botox, laser, IV therapy clinics
Family medicine, urgent care
Therapy, counseling, psychiatry
Eye exams, contact lens, LASIK
Dermatology, chiropractic, physical therapy
ASCs, plastic surgery, podiatry
Independent & specialty pharmacies
HIPAA is the floor — we operate to higher security frameworks audited by independent third parties.
Privacy, Security & Breach Notification Rules
Annual audit (security, availability, confidentiality)
In progress · expected Q4 2026
For payment processing (via Stripe)
[email protected] with your practice name and we will send a counter-signed BAA within one business day. You can begin using non-PHI features immediately while the BAA is in flight.
us-east-1 and us-west-2). We do not transfer PHI to non-HIPAA-eligible regions, third-party processors, or international data centers.